Keyserver/security bug 1447 (and 1446 too)

Werner Koch wk at gnupg.org
Sun Dec 2 12:22:28 CET 2012


On Sun,  2 Dec 2012 06:34, gnupg-devel at spodhuis.org said:
> Hi, wondering if the bug-tracker is considered stale and the devel
> mailing-list is preferred, as there's been no reaction to a security
> impacting bug (1447) while the lesser 1446 which was mentioned on-list

I don't consider this a security bug.  Search for discussions related to
TLS access to keyservers.  It has always been the case that you can get
arbitrary data from keyservers.  Keyservers provide no security at all!
They are just a convenient way to distribute keys which usually works.

Right, it might be used to inhibit the receiving of revocation
certificates.  However, there are many other ways of doing that.  In
case of a compromise, it is good practice to send out revocation
certificates by private mail; this has a better chance that they are
actually noticed.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.



